The Forbes Insights section presents thought leadership content and original research from the Forbes Insights Practice, the Thought Leadership research division of Forbes Media. Forbes Insights conducts research on a host of topics of interest to C-level executives, senior marketing professionals, small business owners and those who aspire to positions of leadership, as well as providing deep insights into issues and trends surrounding wealth creation and wealth management.

Protecting Your Company's Reputation in a Heartbleed World

The Heartbleed vulnerability claimed its first known victim: at least 900 Canadian taxpayers, who had their personal data compromised in the middle of tax season. Canada’s tax agency made the announcement today, after temporarily shutting down its online access last Wednesday to deal with the vulnerability. The Heartbleed Bug is a serious vulnerability in the OpenSSL software used by over two-thirds of active sites on the Internet to encrypt data, according to the researchers who discovered the bug (http://heartbleed.com/). Now, the race is on as any organization that uses OpenSSL rushes to fix the vulnerability before hackers can creep in to steal more data.

The Heartbleed Bug is just the latest stark reminder: even very tech-savvy companies can run serious risks without being aware of them.

Technology professionals and business continuity experts already know how expensive an IT security breach or business disruption can be, according to a new Forbes Insights report in association with IBM, “Fallout: The Reputational Impact of IT Risk.” Lost revenues, downtime and the cost of restoring systems can accrue at the rate of $50,000 per minute for a minor disruption, according to the business continuity and IT security executives who responded to the IBM Global Study on the Economic Impact of IT Risk conducted by Ponemon Institute. But what about the greater toll a sustained outage or major security breach can take on a company’s reputation?

Firms surveyed in a similar IBM study conducted in 2012 reported that the reputational damage lasts months, far longer than recovery times and long enough to affect quarterly results in most cases. For a major incident, such as the data breach suffered by U.S. retailers over the Christmas holiday, for example, the effects could last years. Reputation has always been a thorny thing to value in dollar terms. But there are costs associated with a disruption or breach that can be measured.

Estimated Reputation-Related Costs Resulting From Disruption To Business Or Its Operations Over The Next 24 Months:

Minor: $20,929

Moderate: $468,309

Substantial: $5,274,523

Source: The economics of IT risk and reputation: What business continuity and IT security really mean to your organization, September 2013

If customers can’t log on to your site, you not only lose a sale today, but you also risk losing future business, particularly for retailers. For financial institutions, a security breach can scare away customers and open the door to fraud. A network outage for any telecom or IT company may leave clients wondering why they should trust their own reputation to a vendor who might make them look incompetent. This is particularly true for the providers and the users of cloud technology.

Winning back trust also has a cost. Just ask the staff at retailers who worked around the clock through the Christmas holiday, trying to answer questions from customers and the press. The retailers involved are trying hard to put their customers first by promising zero-liability protection for any fraudulent activity as a result of the breach. But the head of any organization would be wondering at this point: “What could we have done differently before this happened?”

The retailers involved still have many questions to answer. The malware used in at least one attack was a relatively unsophisticated, off-the-shelf exploit kit that can be easily modified and redistributed with little programming skill or knowledge of malware functionality, says software security firm McAfee in its fourth-quarter security report. According to McAfee Chief Technology Officer Michael Fey, defending against such an attack doesn’t require a new silver bullet; it requires a cost-effective way of deploying technology that already exists. And the problems persist; another retailer reported a fresh attack just last month.

“You will be held accountable for what you did or didn’t do in the months and years leading up to a crisis,” explains Prof. Daniel Diermeier, the IBM Professor of Regulation and Competitive Practice at the Department of Managerial Economics and Decision Sciences at the Kellogg School of Management. “You are only as good as the decisions you made when you put your systems in place.”

Common Threats Ranked In Terms Of Reputational Impact

1. Data breach/data theft

2. Natural or manmade disasters

3. IT system failure

4. Data loss (backup/restore failure)

5. Cyber security breach/advanced persistent threats

6. Human error

7. Third-party partner security breach or IT system failure

Source: The economics of IT risk and reputation: What business continuity and IT security really mean to your organization, September 2013

From underground hacker networks to complex supply chains, the threats to IT security and business continuity are proliferating—and so are the ways to deal with them. The best solutions extend beyond the boundaries of the IT department or business continuity team. Security and resilience affect nearly every part of an organization in the always-on world. Working through the challenges of emerging technologies, such as implementing a cloud strategy, can be a means to reassess not only data storage and transmission but any business function that requires data: compliance, finance and human resources, for example.
